03. Network Recon & Port Scanning
Mapping the Unknown Network
Before an attacker can exploit a system, they must discover it. Network reconnaissance is the process of identifying live hosts, open ports, running services, operating systems, and potential vulnerabilities—all without triggering alarms if done skillfully. As a defender, you must understand exactly how attackers map your network so you can detect and block their attempts.
This module is hands-on. You will use Nmap—the industry-standard network scanner—to perform realistic reconnaissance. Every flag, every scan type, every port discussed here corresponds directly to real techniques used in penetration tests and real attacks around the world every day.
🔧 How to use this lab guide: Open your Kali Linux (or any Linux with Nmap) terminal. Commands to type are shown in code blocks. Pay attention to sudo – many scans need root privileges. If a command fails, check your network connection and permissions before moving on.
🛠️ Understanding Network Scanning: What You're Actually Doing
When you scan a network, you are essentially sending crafted packets and analyzing the responses. Different responses mean different things:
- Port Open: A service is listening and accepted your connection probe.
- Port Closed: The host is reachable but no service is listening on that port. The host sends back a RST (reset) packet.
- Port Filtered: A firewall is dropping your packets silently. You hear nothing back—the probe disappears into the void.
- Host Down: No response to any probes. Either the host doesn't exist, or it's configured to ignore all probes (a common hardening technique).
Understanding these four states lets you map the attack surface of any network from the outside.
🧪 Try it yourself – basic ping test: In your terminal, type: ping -c 4 scanme.nmap.org. If you see replies with time values, the host is alive. If you see '100% packet loss', either the host is down or a firewall blocks ICMP.
📡 Nmap: The Complete Scanner Toolkit
Nmap (Network Mapper) was created by Gordon Lyon (Fyodor) and is the gold standard for network discovery and security auditing. It's built into Kali Linux and every major penetration testing distribution. Here is a comprehensive breakdown of its core capabilities:
Discovery Scans — Finding What's Alive:
- nmap -sn 192.168.1.0/24 — Ping sweep. Sends ICMP Echo, TCP SYN to port 443, TCP ACK to port 80. Quickly maps which hosts are online in an entire subnet. Does NOT scan ports.
- nmap -sn --send-ip 192.168.1.0/24 — Bypass ARP resolution on local networks (useful in specific scenarios).
Core Scan Types — Finding Open Doors:
- TCP SYN Scan (-sS): The default and most important scan. Sends a SYN packet. If SYN-ACK returns, the port is open—Nmap immediately sends RST to abort the handshake without completing it. Called 'stealth scan' or 'half-open scan' because it never fully connects, making it less likely to appear in application logs (though it WILL appear in firewall logs). Requires root/administrator privileges to send raw packets.
- TCP Connect Scan (-sT): Completes the full TCP three-way handshake. Slower and more detectable—application logs will record the connection. Used when you don't have root privileges or when scanning through certain proxies.
- UDP Scan (-sU): Scans UDP ports. Slower and less reliable because UDP is connectionless—many services simply don't respond at all. Critical because services like DNS (53), SNMP (161), and DHCP (67/68) run on UDP and are frequently misconfigured.
- NULL Scan (-sN), FIN Scan (-sF), Xmas Scan (-sX): Send malformed TCP packets. On RFC-compliant stacks, closed ports respond with RST; open ports respond with nothing. These bypass simple stateless firewalls that only block SYN packets. Does not work reliably on Windows systems.
- Idle/Zombie Scan (-sI): Extremely stealthy. Uses a third-party 'zombie' host with predictable IP ID numbers. The attacker never sends packets directly to the target—the zombie does. The target sees traffic from the zombie, never the attacker. Requires finding a suitable zombie host.
Intelligence Gathering — What's Running:
- nmap -sV -p 22,80,443,3306 target.com — Service Version Detection. Sends service-specific probes to identify not just WHAT service is running but exactly WHICH version. 'Apache httpd 2.4.49' is actionable intelligence: you can immediately search for CVEs against that exact version.
- nmap -O target.com — OS Fingerprinting. Analyzes quirks in the TCP/IP stack (initial window sizes, TTL values, TCP options) to identify the operating system, comparing the result against Nmap's database of thousands of known fingerprints.
- nmap -A target.com — Aggressive Scan. Combines -O, -sV, -sC (default scripts), and traceroute in one command. Comprehensive but very noisy; expect it to trigger IDS alerts.
The Script Engine (NSE) — Automated Intelligence:
- nmap --script default target.com — Runs the default script category (safe, commonly useful checks).
- nmap --script vuln target.com — Checks for known vulnerabilities. Runs scripts that test for specific CVEs, such as checking whether SMB is vulnerable to EternalBlue.
- nmap --script brute -p 22 target.com — Attempts brute-force credential attacks against detected services.
- nmap --script 'http-*' target.com — Runs all HTTP-related scripts: discovering directories, checking for web server misconfigurations, testing for common vulnerabilities.
Timing and Stealth — Speed vs. Detection Risk:
- -T0 (Paranoid): 5 minutes between packets. Virtually undetectable but scanning a single host takes hours.
- -T1 (Sneaky): 15 seconds between packets. Designed to evade IDS threshold-based alerts.
- -T3 (Normal): Default. Balanced speed and reliability.
- -T4 (Aggressive): Faster. Assumes a good network connection. Often used in internal pentest engagements.
- -T5 (Insane): Maximum speed. Will trigger IDS. Packets may be lost on slow networks.
⌨️ How to run your first Nmap scan in the terminal:
- Open a terminal window (Ctrl+Alt+T in Kali).
- Type nmap --version to confirm Nmap is installed.
- Type sudo nmap -sS -F scanme.nmap.org. The -F flag scans only the top 100 ports (fast).
- Observe the output: look for lines with 'open' next to a port number.
- If you get 'Permission denied', re-run the command with sudo.
🚪 Critical Ports Every Security Engineer Must Memorize
Open ports are potential attack surfaces. These are the most significant in real-world engagements:
- 22 — SSH: Secure Shell remote administration. Primary brute-force target. Weak or default passwords lead directly to full system compromise. Check for key-based auth, disable root login, use fail2ban.
- 23 — Telnet: Completely plaintext. No encryption whatsoever. Credentials are transmitted in clear text readable by anyone sniffing the wire. Should never exist in modern environments. Any open Telnet port is an immediate critical finding.
- 25 — SMTP: Email sending protocol. Open mail relays allow spammers and phishers to send mail appearing to come from your domain.
- 53 — DNS: Zone transfer misconfigurations expose every hostname and IP in your network to the public. DNS is also used for C2 communication (DNS tunneling) and data exfiltration.
- 80/443 — HTTP/HTTPS: Web traffic. Every web application vulnerability lives here: SQLi, XSS, SSRF, IDOR, broken authentication.
- 139/445 — SMB: Windows file sharing. The EternalBlue exploit (CVE-2017-0144) used port 445 to spread WannaCry to 200,000 machines. An externally exposed SMB port is a critical emergency.
- 161 — SNMP: Network device monitoring. Default community strings 'public' and 'private' leak complete device configuration including routing tables and interface details. Often exploited to map internal networks.
- 3306 — MySQL: Database server. Default or weak credentials plus an internet-facing MySQL port = full database dump in under a minute.
- 3389 — RDP: Windows Remote Desktop. Massive ransomware entry vector. BlueKeep (CVE-2019-0708) and other RDP vulnerabilities allow unauthenticated remote code execution. Externally exposed RDP is one of the most common initial access vectors for ransomware groups.
- 6379 — Redis: In-memory database. Frequently deployed with no authentication in development environments, then accidentally exposed. An unauthenticated Redis server can be leveraged to write SSH keys to the server and achieve remote code execution.
- 27017 — MongoDB: NoSQL database. Default configuration has no authentication. In 2017, attackers wiped thousands of exposed MongoDB instances and demanded ransom for the data.
📋 Lab drill: In your terminal, run sudo nmap -sS --top-ports 20 scanme.nmap.org. Compare the open ports you see against this critical ports list. Which ones appear? Write them down – those are your attack surface.
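To make the comparison in the lab drill repeatable, here is an added helper (not part of the original module) that parses Nmap's grepable output (-oG) and reports every open port that appears on the critical-ports list above, together with the version string Nmap recovered. The scan output embedded below is constructed for illustration; the version strings are invented, and the remediation notes are the module's own advice condensed.

```python
# Added example: parse Nmap -oG output and flag open ports from the critical list.
# Produce real input with: sudo nmap -sS -sV --top-ports 20 -oG scan.gnmap scanme.nmap.org
import re

# Critical ports from the module, each with the defensive action it calls for.
CRITICAL_PORTS = {
    22: "SSH: key-based auth, no root login, fail2ban",
    23: "Telnet: plaintext, must not exist",
    25: "SMTP: verify relay restrictions",
    53: "DNS: restrict zone transfers",
    80: "HTTP: web application attack surface",
    443: "HTTPS: web application attack surface",
    139: "SMB: never externally exposed",
    445: "SMB: never externally exposed",
    161: "SNMP: replace default community strings",
    3306: "MySQL: never internet-facing",
    3389: "RDP: restrict to VPN, patch BlueKeep",
    6379: "Redis: require auth, do not expose",
    27017: "MongoDB: require auth, do not expose",
}

# Constructed sample of grepable output (version strings are made up).
# Port field layout: port/state/protocol/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV --top-ports 20 -oG - scanme.nmap.org
Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 445/filtered/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (16)
# Nmap done -- 1 IP address (1 host up)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

def parse_gnmap(text):
    """Return {host_ip: [(port, state, proto, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        hosts.setdefault(host, [])
        for port, state, proto, svc, ver in PORT_RE.findall(ports_field):
            hosts[host].append((int(port), state, proto, svc, ver.strip()))
    return hosts

def critical_exposure(hosts):
    """List (host, port, version, advice) for ports that are OPEN and on the critical list."""
    return [(host, port, ver, CRITICAL_PORTS[port])
            for host, ports in hosts.items()
            for port, state, _proto, _svc, ver in ports
            if state == "open" and port in CRITICAL_PORTS]

if __name__ == "__main__":
    for host, port, ver, advice in critical_exposure(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} open ({ver or 'unknown version'}) -> {advice}")
```

Filtered and closed entries are parsed but deliberately not reported, matching the drill's instruction to look for 'open' rather than 'filtered'.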
🕵️ Evasion Techniques — How Attackers Hide Their Scans
A scan that gets detected and blocked provides no intelligence. Advanced attackers use these techniques to make their reconnaissance invisible:
- Decoy Scans (-D RND:10): Nmap sends the same probes from 10 randomly spoofed IP addresses simultaneously. The target's logs show 11 scanners, with no way to identify the real attacker's IP among the noise.
- Slow Scans (-T0, -T1): IDS systems alert on threshold patterns—'source IP X hit 1000 ports in 10 seconds.' Space probes 15 seconds apart and no IDS threshold triggers. The scan takes hours but stays invisible.
- Fragment Packets (-f): Splits the TCP header across multiple IP fragments. Older or simple firewalls inspect only the first fragment and miss the full context of the packet.
- Source Port Manipulation (--source-port 53): Some poorly configured firewalls trust traffic originating from port 53 (DNS). Setting the scan's source port to 53 bypasses these rules.
- Proxy Chains: Routing scans through TOR, SOCKS5 proxies, or SSH tunnels. The target sees the exit node's IP, never the attacker's real address.
  Example: proxychains nmap -sT target.com (note: requires -sT because raw sockets cannot be proxied).
🧪 Try evasion in the lab: Run sudo nmap -D RND:5 scanme.nmap.org -p 80. Nmap will show 'Decoys' in the output. Then check your router or firewall logs if you have access – you'll see multiple source IPs.
🛡️ Defensive Countermeasures — Detecting Reconnaissance
Your IDS, firewall, and SIEM should be configured to detect scanning activity before it turns into exploitation:
- Threshold Alerting: Alert when a single source IP accesses more than 20 ports within 10 seconds. This catches fast scans.
- Behavioral Analysis (Suricata, Zeek): Detect specific packet signatures — TCP packets with no flags set (NULL scan), FIN+PSH+URG flags (Xmas scan), sequential port access patterns.
- Honeypots and Darknets: Deploy unused IP ranges with no legitimate services. Any packet destined for those IPs is inherently suspicious. Honeypots are the best reconnaissance detection tool because they generate zero false positives—legitimate users never touch them.
- Port Knocking / Single Packet Authorization (SPA): Services like SSH are hidden behind a secret knock sequence. Scanners see all ports as closed. Only clients who perform the correct knock sequence can cause the port to open—completely invisible to scanners.
- Firewall Drop vs. Reject: Configure firewalls to DROP packets rather than REJECT them. REJECT sends back an RST/ICMP unreachable response, which confirms the host exists and the port is closed. DROP sends nothing, making it harder for scanners to distinguish filtered ports from nonexistent hosts.
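The following is an added example, not part of the original module, showing how the first three countermeasures above can be applied to firewall connection logs: threshold alerting on distinct ports per source within a 10-second window, signature matching for NULL and Xmas probes, and darknet monitoring of an unused prefix. The log format, the addresses, and the darknet range 10.99.0.0/16 are all constructed for this example.

```python
# Added example: a minimal scan detector over constructed firewall logs.
# Implements the module's countermeasures: threshold alerting (>20 distinct
# ports from one source within 10 s), NULL/Xmas flag signatures, and
# darknet monitoring. Log format and all IPs are constructed for the demo.
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

PORT_THRESHOLD, WINDOW_SECONDS = 20, 10
DARKNET = ipaddress.ip_network("10.99.0.0/16")   # constructed unused range

def make_sample_log():
    """Constructed log: a fast SYN scan, a NULL probe, an Xmas probe, a darknet hit, normal HTTPS."""
    lines = [f"2024-05-01T10:00:{i // 3:02d} src=203.0.113.5 dst=10.0.0.8 dport={1000 + i} flags=S"
             for i in range(25)]                      # 25 ports in 9 seconds
    lines.append("2024-05-01T10:00:30 src=198.51.100.7 dst=10.0.0.8 dport=22 flags=")
    lines.append("2024-05-01T10:00:31 src=198.51.100.7 dst=10.0.0.8 dport=80 flags=FPU")
    lines.append("2024-05-01T10:00:40 src=192.0.2.10 dst=10.99.4.4 dport=445 flags=S")
    lines += [f"2024-05-01T10:01:{i:02d} src=192.0.2.11 dst=10.0.0.8 dport=443 flags=S"
              for i in range(5)]                      # legitimate repeat HTTPS
    return lines

def parse(line):
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split(" "))
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"]), kv["flags"]

def detect(lines):
    """Return sorted (alert_type, source_ip) tuples, one per distinct finding."""
    seen = set()
    windows = defaultdict(deque)        # src -> deque of (timestamp, dport)
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        if flags == "":                                 # NULL scan: no flags set
            seen.add(("null_scan", src))
        elif set(flags) == {"F", "P", "U"}:             # Xmas scan: FIN+PSH+URG
            seen.add(("xmas_scan", src))
        if ipaddress.ip_address(dst) in DARKNET:        # nothing legitimate lives here
            seen.add(("darknet_hit", src))
        w = windows[src]
        w.append((ts, dport))
        while (ts - w[0][0]).total_seconds() > WINDOW_SECONDS:
            w.popleft()                                 # slide the 10 s window
        if len({p for _, p in w}) > PORT_THRESHOLD:
            seen.add(("port_scan_threshold", src))
    return sorted(seen)

if __name__ == "__main__":
    for kind, src in detect(make_sample_log()):
        print(f"ALERT {kind:20} source={src}")
```

A decoy scan (-D) defeats attribution, not detection: every decoy address crosses the same threshold, so the detector emits one alert per decoy, and a burst of simultaneous threshold alerts is itself a strong signal.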
Here is a realistic scanning sequence an attacker or pentester would use against a target. Only run against scanme.nmap.org or your own lab machines.
Step 1 — Discover live hosts:
What you type: nmap -sn scanme.nmap.org
Expected output: 'Host is up' with latency. If you see '0 hosts up', check your internet or try ping scanme.nmap.org first.
Step 2 — Full port scan on interesting host:
sudo nmap -sS -p- -T4 scanme.nmap.org
Note: -p- means all 65535 ports. This will take 2-5 minutes. Let it complete. Press 'Enter' to see progress.
Step 3 — Version detection on open ports:
sudo nmap -sV -p (list the open ports you found) scanme.nmap.org
Example: sudo nmap -sV -p 22,80,9929 scanme.nmap.org
Step 4 — OS fingerprinting:
sudo nmap -O scanme.nmap.org
Requires at least one open and one closed port. If Nmap says 'OS detection limited', try again with --osscan-guess.
Step 5 — Vulnerability check:
nmap --script vuln -p 80 scanme.nmap.org
This runs for 1-3 minutes. You'll see script output lines starting with 'http-*'. Not all findings mean real danger – some are informational.
With this information in hand, an attacker now knows the exact versions running, can look up corresponding CVEs, and has a prioritized list of targets. The entire operation took under 5 minutes.
🧪 Lab Mission: Hands-On Reconnaissance (exact commands to run)
Authorized Target: scanme.nmap.org (officially provided by the Nmap project for practice scanning)
Work through each task in order, typing exactly what you see. Keep a notepad open to record your results.
- Confirm the host is alive: Type ping -c 4 scanme.nmap.org. What % packet loss do you see? Record it.
- TCP SYN scan top 1000 ports: Type sudo nmap -sS scanme.nmap.org. List every open port (look for 'open', not 'filtered').
- Service version detection: Replace [your ports] with the ports from step 2. Example: sudo nmap -sV -p 22,80,443 scanme.nmap.org. Write down each service version (e.g., 'OpenSSH 7.4').
- OS fingerprinting: Type sudo nmap -O scanme.nmap.org. What OS does Nmap guess? If it says 'too many fingerprints', don't worry – note the closest match.
- Default script scan: Type nmap -sC scanme.nmap.org. Look for lines starting with '|' – those are script outputs. What extra info appears (e.g., SSH host keys, HTTP titles)?
- Vulnerability scan on HTTP port: Type nmap --script vuln -p 80 scanme.nmap.org. Wait for completion. Does any script report a CVE ID? (It might say 'not vulnerable' – that's still a valid result.)
- Decoy scan: Type sudo nmap -D RND:5 scanme.nmap.org -p 22. Look at the 'Nmap scan report' line – you'll see multiple IPs listed as decoys. Your real IP is still there but mixed in.
Analysis Questions: Which of your scan types would most likely trigger an IDS? Which scan revealed the most useful intelligence for potential exploitation? If you were defending this server, what changes would you make based on your findings?
⚠️ Legal Reminder: Port scanning without written authorization is illegal under the Computer Fraud and Abuse Act (CFAA) and equivalent laws worldwide. Only scan systems you own or have explicit written permission to test. scanme.nmap.org is the ONLY external host you are authorized to practice on. Scanning any other domain without permission is a crime.
🔁 If a command fails:
- 'command not found' → install nmap: sudo apt install nmap
- 'Permission denied' → add sudo: sudo nmap ...
- 'Host seems down' → try nmap -Pn scanme.nmap.org (skips ping)
- Scan takes forever → press Ctrl+C to cancel, then add -T4 and -F for faster scanning.
✅ Module 03 Summary
- Nmap is the industry standard for network discovery. Master -sS (SYN scan), -sV (version detection), -O (OS detection), and --script (NSE scripts).
- The four port states are Open, Closed, Filtered, and Open|Filtered. Each tells you something different about the target's security posture.
- Know ports 22, 80, 443, 445, 3306, 3389, 6379, and 27017 by heart—these are the most common real-world attack surfaces.
- Attackers evade detection using decoys, slow timing, packet fragmentation, and proxy chains. Defenders counter with behavioral analysis, honeypots, and drop (not reject) firewall rules.
- Always scan methodically: discover → port scan → version detect → vulnerability check. Never skip steps.
- Final terminal check: Run nmap -h | grep -E '(sS|sV|O|script)' – this shows you the flags you just learned. Keep this cheatsheet nearby for future labs.